Introduction

The Caja Compiler is a tool for making third party HTML, CSS and
JavaScript safe to embed in your website. It enables rich
interaction between the embedding page and the embedded
applications. Caja uses an object-capability security model to allow
for a wide range of flexible security policies, so that your website
can effectively control what embedded third party code can do with
user data.

The Caja Compiler supports most HTML and CSS and the recently standardized
"strict mode" version of JavaScript -- even on older browsers that
do not support strict mode. It allows third party code to use new
JavaScript features on older browsers that do not support them.

How do I start?

Benefits of using Caja

New JavaScript Features. Caja emulates all the new features of ECMAScript 5,
including getters and setters, non-enumerable properties, and read-only properties.
New browsers support these features natively, but older browsers still have a significant
user base. Caja emulates these new features on browsers that don't support them natively.

Mashups. Caja-compiled code is safe to inline directly in a page,
so it's easy to put many third-party apps into the same page and allow them to exchange
JavaScript objects. They can even inherit CSS styles from the host page.
At the same time, the host page is protected from the embedded apps:
they can't redirect pages to phishing sites, sniff internal networks or browser history,
or steal cookies.

Safely extends JSON with code. Until Caja, website authors that wished to consume data
provided by a RESTful service had a dilemma: make their site vulnerable to the author
of the JavaScript library that interacts with the service or write their own. With Caja,
a service can supply both JSON and JavaScript, and websites can compile the JavaScript
using Caja to make it safe to embed in their page.